[pkg-netfilter-team] Bug#914397: nftables: after Stretch->Buster upgrade, named set needs "auto-merge"
Gert
t2 at gert.gr
Fri Nov 23 03:39:42 GMT 2018
Package: nftables
Version: 0.9.0-1
Severity: normal
Hi,
I make use of a "named set" for blacklisting purposes.
The relevant part in /etc/nftables.conf:
table ip filter {
    set blacklist {
        type ipv4_addr
        flags interval
        include "/etc/ipset-blacklist/ip-blacklist.nft"
    }
}
The file /etc/ipset-blacklist/ip-blacklist.nft is generated from several
sources; its contents are not perfectly organized.
I was running Stretch, and it worked great. I just upgraded to Buster, and now
nftables.service fails to start with this message:
Error: conflicting intervals specified
Ok, apparently the file contains those.
After some Googling, I tried to add "auto-merge" to the blacklist options, and
now it works again.
I thought maybe this change should be documented somewhere for other upgraders,
or handled automatically.
Perhaps I filed this bug against the wrong package (maybe it's the kernel or release
notes?), but now at least it is known.
Thanks!
-- System Information:
Debian Release: 9.6
APT prefers stable
APT policy: (700, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-8-amd64 (SMP w/2 CPU cores)
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8), LANGUAGE=nl_NL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages nftables depends on:
ii dpkg 1.18.25
ii init-system-helpers 1.48
ii libc6 2.24-11+deb9u3
ii libgmp10 2:6.1.2+dfsg-1
ii libmnl0 1.0.4-2
pn libnftables0 <none>
pn libnftnl4 <none>
ii libreadline7 7.0-3
ii libxtables12 1.6.0+snapshot20161117-6
nftables recommends no packages.
nftables suggests no packages.
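The "conflicting intervals specified" error above is what nft reports when an interval set is loaded with overlapping elements; "auto-merge" collapses them at load time. The following added example (not from the bug report or the nftables project) does the same check offline on a generated element list, so a blocklist generator can find overlaps before the ruleset is loaded; the sample element list is constructed.

```python
"""Check a generated nftables interval-set element list for overlaps.

Added example, not part of the bug report or of nftables: it reproduces the
merge that the "auto-merge" flag performs, so overlapping entries in a
generated blocklist can be detected and collapsed before nft rejects them.
"""
import ipaddress

# Constructed sample standing in for /etc/ipset-blacklist/ip-blacklist.nft
SAMPLE_NFT = """
elements = {
    192.0.2.0/24,
    192.0.2.10,
    198.51.100.0/25,
    198.51.100.128/25,
    203.0.113.0/28,
    203.0.113.5,
}
"""

def parse_elements(text):
    """Return the IPv4 networks listed between 'elements = {' and '}'.
    A malformed entry raises ValueError, which nft would reject as well."""
    body = text.split("{", 1)[1].split("}", 1)[0]
    nets = []
    for token in body.replace("\n", ",").split(","):
        token = token.strip()
        if token:
            nets.append(ipaddress.ip_network(token))  # bare address -> /32
    return nets

def find_conflicts(nets):
    """Pairs of entries that overlap; any such pair makes a set with
    'flags interval' fail to load unless 'auto-merge' is set."""
    conflicts = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                conflicts.append((str(a), str(b)))
    return conflicts

def auto_merge(nets):
    """Collapse overlapping and adjacent networks, as nft's auto-merge does."""
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def render_set(nets, name="blacklist"):
    """Emit a set definition with the merged elements, loadable without auto-merge."""
    lines = [f"set {name} {{", "    type ipv4_addr", "    flags interval",
             "    elements = {"]
    lines += [f"        {n}," for n in auto_merge(nets)]
    lines += ["    }", "}"]
    return "\n".join(lines)
```

Running find_conflicts on the generated file before `nft -f` loads it points at the exact pair of entries that triggered the error in the report.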